REMARKS



In response to the Office Action mailed July 16, 2003, the Applicant respectfully requests 
reconsideration. 

To further the prosecution of this application, amendments have been made in the claims, 
as illustrated above under the sub-heading Listing of the Claims. 

Claims 1-46 were previously pending in this application. By this amendment, Applicant 
amends claims 1, 17, 33 and 34. As a result, claims 1-46 are pending for examination, of which 
claims 1, 17, 33, 34, 35, 40, 45 and 46 are independent. 

1. Claims 1-16 Patentably Distinguish Over Nesset in View of Dixon 

Claim 1 stands rejected (Office Action, Pages 3-4) under 35 U.S.C. §103(a) as 
purportedly being unpatentable over U.S. Patent No. 5,968,176 (Nesset) in view of U.S. 
Published Patent Application No. 2003/0084331 A1 (Dixon). Applicant respectfully traverses
this rejection for at least the following reasons. 

1.1 Discussion of Nesset 

Nesset is directed to a system for establishing security functions in a plurality of protocol 
layers to establish a multi-layer firewall in a network. (Col. 1, lines 6-9). By distributing 
firewall functionality of the network in a variety of network devices and end systems that enforce 
the defined policy, a pervasive firewall is implemented. (Col. 3, lines 27-29, 34-35). Nesset 
teaches implementing device-specific network policy, which serves as the fundamental building 
block of the multi-layer firewall system disclosed by Nesset, as will be made clear below. 

Each end system and active network device has one or more network addresses 
associated with its security policy management agent (Col. 7, lines 56-59; FIG. 2). End systems 
(aka, hosts) are the nodes identified in policy statements. Security policy language is used to 
write a set of security policy statements that specify the allowed activity between end systems 
and the network. (Col. 8, lines 2-3, 34-36; Table). A security policy management backend 
creates node-specific security policy configuration data that it distributes to the network nodes it
has chosen. The security policy management backend transforms the rules of the security policy 
statements into node-specific configuration data (Col. 9, lines 23-32). 

Nesset discloses that end systems (e.g., 111, 113, 114, 116 and 117) may be remotely
connected across a Public Switched Telephone Network (PSTN) 105 to an Access Server 121 of
a private network 101 via any of a variety of connection devices, for example, modem 110,
remote access server 112 and terminal server 115 (FIG. 2; Col. 10, lines 24-47). In such a
remote access configuration, the Access Server may be configured to perform a security service 
called filtering. A more advanced form of filtering establishes filtering rules that apply on a per 
connection basis. That is, when a user establishes a connection through an Access Server, a set 
of filtering rules specific to that user are drawn from a filtering database. These rules are then 
installed into the Access Server, which applies them only to traffic traveling over that 
connection. (Col. 15, line 66-Col. 16, line 12.) 

Significantly, Nesset does not disclose or suggest a user having an assigned role with
respect to a network. It follows that Nesset fails to disclose determining the role of a user, and 
configuring a port module of a network device based on the role of a user. 

1.2. Discussion of Dixon 

Dixon is directed to a distributed firewall system providing end-point protection at each 
peer/server. (Page 1, paragraph 1). Dixon discloses that existing security protocols do not 
provide a mechanism to authenticate individual users as opposed to individual machines. 
(Page 2, paragraph 10). 

Dixon discloses a distributed firewall architecture that performs user authentication at a 
first level to establish a user security context for traffic from the user. Once authenticated, an 
authority context provides authorization for subsequent traffic from that user. (Page 2, 
paragraph 11). Thus, Dixon teaches implementing user-specific policy as opposed to
device-specific policy. As is made clear throughout Dixon, this user-specific policy is implemented at
the end system being used by the user (see FIGS. 3-6; page 4, paragraphs 36-39; page 6, 
paragraphs 52 and 59). 

In contrast to the assertions of the Office Action (page 6, lines 5-7), Dixon does not 
disclose a user having an assigned role with respect to a communications network. The Office
Action apparently contends that Dixon teaches roles when it discloses that "Extensions of 
Intranet Key Exchange protocol (IKE) to provide the desired user authentication plus 
application/purpose (identity) are also provided." (Page 2, paragraph 13, lines 2-3). Applicant 
respectfully disagrees, as the cited passage from Dixon makes no mention of roles. Nor is it 
clear from the cited passage how user authentication and application/purpose (identity) has any
relationship to a role of a user with respect to a network. In fact, Dixon is silent with respect to a
user having an assigned role with respect to a network. 

Thus, Dixon does not disclose or suggest determining the role of a user with respect to a 
network, nor configuring a port module of a network device based on a determined role. 

1.3 Combining Nesset and Dixon is Improper 

The combination of Nesset and Dixon is improper because one skilled in the art at the 
time the invention was made would not have been motivated to combine the teachings of Nesset 
and the teachings of Dixon. As described above, Nesset teaches implementing device-specific 
network policy, whereas Dixon discloses implementing user-specific network policy. The Office
Action contends that it would have been obvious for one of skill in the art to combine Nesset and 
Dixon because Dixon discloses problems with device-specific network policy implementation 
that are solved by user-specific implementation. Applicant respectfully disagrees, and submits 
that such reasoning fails to establish a prima facie case of obviousness. 

In contrast to the assertions set forth in the Office Action, one skilled in the art would not 
be motivated to combine the teachings of Nesset with the teachings of Dixon as suggested by the 
Office Action because modifying the system of Nesset to implement user-specific policy would 
change the principle of operation of Nesset. As set forth in MPEP 2143.02 (original 8th edition
August, 2001, latest revision February 2003, page 2100-127, second column), "If the proposed
modification or combination of the prior art would change the principle of operation of the prior
art invention being modified, then the teachings of the reference are not sufficient to render the
claims prima facie obvious." In re Ratti, 270 F.2d 810, 123 USPQ 349 (CCPA 1959). As
discussed above, device-based network policy is a fundamental building block of the system 
disclosed by Nesset, serving as the basis of the entire, complex multi-layer firewall system. 
Modifying Nesset at such a fundamental level, to implement user-based policy as opposed to 
device-based policy would require a substantial redesign of the entire multi-level firewall system 
of Nesset so as to change the basic principle under which the system was designed to operate.
Therefore, combining Nesset and Dixon would change the principle of operation of Nesset.

1.4 The Combination of Nesset and Dixon

Even if combining Nesset and Dixon was proper, which it is not, such combination would 
not disclose or suggest configuring a network device, which serves as a user's entry point to a 
communication network, with packet rules corresponding to an identity of the user, where the 
user is using a user device directly connected to the network device. As discussed above, Nesset
discloses establishing a connection across a public network (e.g., a PSTN) between a user and a 
remote access server, and installing filtering rules specific to that user on the access server. 
However, such user is not using a user device that is directly connected to the network device, 
but a user device that is connected remotely through a public network. Dixon fails to remedy 
this deficiency of Nesset. In fact, Dixon teaches away from configuring such a network device 
with packet rules corresponding to an identity of the user. In contrast, Dixon teaches configuring 
the user device itself (i.e., the user's end system) in accordance with the identity of the user. 

Further, in contrast to the assertion of the Office Action, the hypothetical combination of
Nesset and Dixon would not disclose or suggest determining an assigned role of a user with 
respect to a network, nor configuring a port module of a network device with packet rules 
associated with the assigned role of the user. As set forth above, neither Nesset nor Dixon 
disclose or suggest a use of such roles in configuring the port modules of network devices with 
packet rules. Consequently, the combination of these two references also would not disclose or 
suggest the use of roles. 

1.5 Claim 1 Patentably Distinguishes over the Combination of Nesset and Dixon

Claim 1 has been amended to make clear that the package received in act (B) is received 
at the port module of the network device, not at the device used by the user. Further, claim 1 has 
been amended to include a limitation that "the user is using a user-device that is directly 
connected to the network device." Support for this limitation is found in the specification, on 
page 40, lines 16-18 and page 4, lines 17-26. 

Even if combining Nesset and Dixon were proper, which it is not, claim 1 still 
distinguishes over such combination. Specifically, as set forth above, such combination does not 
disclose or suggest a method of controlling usage, by a user, of network resources of a 
communications network beyond a network device of the communications network that serves as 
the user's entry point to the communications network, the method comprising, inter alia, an act 
of configuring a port module of the network device with one or more packet rules corresponding 
to an identity of the user, wherein the user is using a user device directly connected to the 
network device as recited in claim 1.

Therefore, for at least the above reasons, claim 1 is not rendered obvious by Nesset in
view of Dixon. Accordingly, Applicant respectfully requests that the rejection of claim 1 under 
§ 103(a) as being unpatentable over Nesset in view of Dixon be withdrawn. 

Claims 2-16, which each depend directly or indirectly from claim 1, are patentable over 
the art of record for at least the same reasons as claim 1. Accordingly, Applicant respectfully 
requests that the rejections of claims 2-16 be withdrawn. 

2. Claims 17-32 Patentably Distinguish Over Nesset in View of Dixon

Claim 17 stands rejected under 35 U.S.C. §103(a) as purportedly being unpatentable over
Nesset in view of Dixon. Applicant respectfully traverses this rejection. As set forth above with
respect to claim 1, combining Nesset and Dixon is improper. Further, even if combining these 
references were proper, claim 17 still distinguishes over such combination. Specifically, such 
combination does not teach or suggest a network device serving as an entry point to a 
communications network for a user and operative to control usage of network resources by the 
user beyond the network device, the network device comprising: a port module including port 
configuration logic to configure the port module with one or more packet rules 
corresponding to an identity of the user, wherein the user is using a user device that is 
directly connected to the network device, the port module further including a physical port to 
receive a packet from the user device and rule application logic to apply the one or more packet 
rules to the received packet before using any of the network resources beyond the network 
device, as recited in claim 17. 

Therefore, for at least these reasons, claim 17 is not rendered obvious by Nesset in view 
of Dixon. Accordingly, Applicant respectfully requests that the rejection of claim 17 under 
§ 103(a) as being unpatentable over Nesset in view of Dixon be withdrawn. Claims 18-32, which 
each depend from claim 17, are patentable over the art of record for at least the same reasons as 
claim 17. Accordingly, Applicant respectfully requests that the rejections of claims 18-32 be 
withdrawn. 

3. Claim 33 Patentably Distinguishes Over Nesset in View of Dixon

Claim 33 stands rejected under 35 U.S.C. §103(a) as purportedly being unpatentable over 
Nesset in view of Dixon. Applicant respectfully traverses this rejection. As set forth above with 
respect to claim 1, combining Nesset and Dixon is improper. Further, even if combining these
references were proper, claim 33 still distinguishes over such combination. Specifically, such 
combination does not teach or suggest a network device serving as an entry point to a 
communications network for a user, the network device operative to control usage of network 
resources beyond the network device by the user and comprising: a port module including a 
physical port to receive a packet from a device used by the user and rule application logic to 
apply one or more packet rules to the received packet before using any of the network resources 
beyond the network device; and means for configuring the port module with the one or more
packet rules based on an identity of the user, wherein the user device is directly connected
to the network device, as recited in claim 33.

Therefore, for at least these reasons, claim 33 is not rendered obvious by Nesset in view 
of Dixon. Accordingly, Applicant respectfully requests that the rejection of claim 33 under 
§ 103(a) as being unpatentable over Nesset in view of Dixon be withdrawn. 

4. Claim 34 Patentably Distinguishes Over Nesset in View of Dixon

Claim 34 stands rejected under 35 U.S.C. §103(a) as purportedly being unpatentable over 
Nesset in view of Dixon. Applicant respectfully traverses this rejection. As set forth above with 
respect to claim 1, combining Nesset and Dixon is improper. Further, even if combining these 
references were proper, claim 34 still distinguishes over such combination. Specifically, such 
combination does not teach or suggest a computer program product, comprising: a
computer-readable medium; and computer-readable signals stored on the computer-readable medium that
define instructions that, as a result of being executed by a computer, instruct the computer to 
perform a process of controlling usage of network resources, by a user, of a communications 
network beyond a network device of the communications network that serves as the user's entry 
point to the communications network, the process comprising acts of: (A) configuring a port 
module of the network device with one or more packet rules corresponding to an identity of 
the user, wherein the user is using a user device directly connected to the network device; 
(B) receiving, at the port module, a packet from the user device; and (C) before using any of the 
network resources beyond the network device, applying the one or more packet rules to the 
received packet, as recited in claim 34.

Therefore, for at least these reasons, claim 34 is not rendered obvious by Nesset in view
of Dixon. Accordingly, Applicant respectfully requests that the rejection of claim 34 under 
§ 103(a) as being unpatentable over Nesset in view of Dixon be withdrawn. 

5. Claims 35-39 Patentably Distinguish Over Nesset in View of Dixon

Claims 35-39 stand rejected under 35 U.S.C. §103(a) as purportedly being unpatentable 
over Nesset in view of Dixon. Applicant respectfully traverses this rejection. As set forth above 
with respect to claim 1, combining Nesset and Dixon is improper. Further, even if combining
these references were proper, claim 35 still distinguishes over such combination. Specifically,
such combination does not teach or suggest a method of controlling usage of network resources
of a communications network by a user, wherein the user has an assigned role with respect to 
the communications network, and the assigned role is associated with one or more packet 
rules, each packet rule including a condition and action to be taken if a packet received at a 
device satisfies the condition, the method comprising acts of: (A) receiving a packet including 
identification information of the user from a device of the user at a port module of a network 
device; (B) determining the assigned role of the user based on the identification 
information; and (C) configuring the port module with the one or more packet rules 
associated with the assigned role of the user, as recited in claim 35. 

Therefore, for at least these reasons, claim 35 is not rendered obvious by Nesset in view 
of Dixon. Accordingly, Applicant respectfully requests that the rejection of claim 35 under 
§ 103(a) as being unpatentable over Nesset in view of Dixon be withdrawn. Claims 36-39, which 
each depend from claim 35, are patentable over the art of record for at least the same reasons as 
claim 35. Accordingly, Applicant respectfully requests that the rejections of claims 36-39 be 
withdrawn. 

6. Claims 40-44 Patentably Distinguish Over Nesset in View of Dixon

Claims 40-44 stand rejected under 35 U.S.C. §103(a) as purportedly being unpatentable 
over Nesset in view of Dixon. Applicant respectfully traverses this rejection. As set forth above 
with respect to claim 1, combining Nesset and Dixon is improper. Further, even if combining 
these references were proper, claim 40 still distinguishes over such combination. Specifically, 
such combination does not teach or suggest a system for controlling usage of network resources 
of a communications network by a user, wherein the user has an assigned role with respect to
the communications network, and the assigned role is associated with one or more packet 
rules, each packet rule including a condition and action to be taken if a packet received at a 
device satisfies the condition, the system comprising: a port module including a physical port to 
receive a packet including identification information of the user from a device of the user and 
port configuration logic to configure the port module with the one or more packet rules 
associated with the assigned role of the user; and an authentication module to determine the 
assigned role of the user based on the identification information, as recited in claim 40.

Therefore, for at least these reasons, claim 40 is not rendered obvious by Nesset in view
of Dixon. Accordingly, Applicant respectfully requests that the rejection of claim 40 under
§ 103(a) as being unpatentable over Nesset in view of Dixon be withdrawn. Claims 41-44, which 
each depend from claim 40, are patentable over the art of record for at least the same reasons as 
claim 44. Accordingly, Applicant respectfully requests that the rejections of claims 41-44 be 
withdrawn. 

7. Claim 45 Patentably Distinguishes Over Nesset in View of Dixon

Claim 45 stands rejected under 35 U.S.C. § 103(a) as purportedly being unpatentable over 
Nesset in view of Dixon. Applicant respectfully traverses this rejection. As set forth above with 
respect to claim 45, combining Nesset and Dixon is improper. Further, even if combining these 
references were proper, claim 45 still distinguishes over such combination. Specifically, such 
combination does not teach or suggest a system for controlling usage of network resources of a 
communications network by a user, wherein the user has an assigned role with respect to the 
communications network, and the assigned role is associated with one or more packet 
rules, each packet rule including a condition and action to be taken if a packet received at a 
device satisfies the condition, the system comprising: a port module including a physical port to 
receive a packet including identification information of the user from a device of the user and 
port configuration logic to configure the port module with the one or more packet rules 
associated with the assigned role of the user; and means for determining the assigned role 
of the user based on the identification information, as recited in claim 45.

Therefore, for at least these reasons, claim 45 is not rendered obvious by Nesset in view
of Dixon. Accordingly, Applicant respectfully requests that the rejection of claim 45 under 
§ 103(a) as being unpatentable over Nesset in view of Dixon be withdrawn. 

8. Claim 46 Patentably Distinguishes Over Nesset in View of Dixon 

Claim 46 stands rejected under 35 U.S.C. §103(a) as purportedly being unpatentable over 
Nesset in view of Dixon. Applicant respectfully traverses this rejection. As set forth above with 
respect to claim 46, combining Nesset and Dixon is improper. Further, even if combining these 
references were proper, claim 46 still distinguishes over such combination. Specifically, such
combination does not teach or suggest a computer program product, comprising: a
computer-readable medium; and computer-readable signals stored on the computer-readable medium that
define instructions that, as a result of being executed by a computer, instruct the computer to 
perform a process of controlling usage of network resources of a communications network by a 
user, wherein the user has an assigned role with respect to the communications network, 
and the assigned role is associated with one or more packet rules, each packet rule including 
a condition and action to be taken if a packet received at a device satisfies the condition, the 
process comprising acts of: (A) receiving a packet including identification information of the 
user from a device of the user at a port module of a network device; (B) determining the 
assigned role of the user based on the identification information; and (C) configuring the 
port module with the one or more packet rules associated with the assigned role of the user, 
as recited in claim 46. 

Therefore, for at least these reasons, claim 46 is not rendered obvious by Nesset in view 
of Dixon. Accordingly, Applicant respectfully requests that the rejection of claim 46 under 
§ 103(a) as being unpatentable over Nesset in view of Dixon be withdrawn. 

CONCLUSION 

In view of the foregoing amendments and remarks, this application should now be in 
condition for allowance. A notice to this effect is respectfully requested. If the Examiner 
believes, after this amendment, that the application is not in condition for allowance, the 
Examiner is requested to call the Applicant's attorney at the telephone number listed below.

If this response is not considered timely filed and if a request for an extension of time is
otherwise absent, Applicant hereby requests any necessary extension of time. If there is a fee
occasioned by this response, including an extension fee that is not covered by an enclosed check,
please charge any deficiency to Deposit Account No. 50/1127.

Respectfully submitted, 

James Richmond et al., Applicants



By: 